Install the Sumo Logic App

Now that you have set up collection for Amazon GuardDuty, install the Sumo Logic App to use the pre-configured searches and dashboards that provide visibility into your environment for real-time analysis of overall usage.

To install the app, do the following:

Locate and install the app you need from the App Catalog. If you want to see a preview of the dashboards included with the app before installing, click Preview Dashboards.

From the App Catalog, search for and select the app.

To install the app, click Add to Library and complete the following fields.

App Name. You can retain the existing name, or enter a name of your choice for the app.

Advanced. Select the Location in Library (the default is the Personal folder in the library), or click New Folder to add a new folder.

Click Add to Library.

Once an app is installed, it will appear in your Personal folder, or in the other folder that you specified. From here, you can share it with your organization.

Panels will start to fill automatically. Note that each panel fills only with data that matches its time-range query and that was received after the panel was created. Results won't immediately be available, but with a bit of time, you'll see full graphs and maps.

Dashboards

Amazon GuardDuty - Overview

See the overview of GuardDuty threats including the severity, threat purpose, resource type, threat name, account ID, and region.

GuardDuty Threat Map. See the count of threats on a world map in the last 24 hours.

High Severity Threats Table. See the details of high severity threats in the last 24 hours including the time, account ID, region, resource type, description, and link, displayed in a table.

Severity Trend. See the trend of the various severity levels in the last 24 hours on an area chart.

Threats by ThreatPurpose, ResourceType, ThreatName. See the details of threats in the last 24 hours including the threat purpose, resource type, threat name, and count displayed in a table.

Threats by IP. See the count of threats by IP addresses in the last 24 hours on a pie chart.

Severity and AccountID. See the count of severity levels in the last 24 hours by Account ID on a bar chart.

Severity and Region. See the count of severity levels in the last 24 hours by region on a bar chart.

Severity and ResourceType. See the count of severity levels in the last 24 hours by resource type on a bar chart.
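The Overview panels are all roll-ups of the same GuardDuty finding JSON. The following added example (not Sumo Logic's or AWS's code) reproduces those roll-ups in Python over four constructed findings: it maps the numeric severity to the documented Low/Medium/High bands, splits the finding type into threat purpose, affected resource and threat name, filters to a 24-hour window, and pulls the remote IP from whichever sub-object the action type uses. The finding contents, timestamps, account IDs and the `NOW` reference time are assumptions; the field paths follow the GuardDuty finding format.

```python
"""Roll GuardDuty findings up into the Overview dashboard's dimensions.
Added example for this page, not Sumo Logic's or AWS's code. Findings are
constructed; field paths (type, severity, accountId, region, updatedAt,
resource.resourceType, service.action.*) follow the GuardDuty format."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample findings (not real events); only the fields the
# Overview panels read are populated. IPs are RFC 5737 documentation ranges.
FINDINGS = [
    {"type": "Backdoor:EC2/C&CActivity.B!DNS", "severity": 8.0,
     "accountId": "111122223333", "region": "us-east-1",
     "title": "EC2 instance i-0abc is querying a known C&C domain.",
     "updatedAt": "2024-05-01T12:00:00.000Z",
     "resource": {"resourceType": "Instance"},
     "service": {"action": {"actionType": "DNS_REQUEST",
                            "dnsRequestAction": {"domain": "c2.example"}}}},
    {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2.0,
     "accountId": "111122223333", "region": "us-east-1",
     "title": "Unprotected port on instance i-0abc is being probed.",
     "updatedAt": "2024-05-01T15:30:00.000Z",
     "resource": {"resourceType": "Instance"},
     "service": {"action": {"actionType": "PORT_PROBE", "portProbeAction": {
         "portProbeDetails": [{"remoteIpDetails": {"ipAddressV4": "198.51.100.7"}},
                              {"remoteIpDetails": {"ipAddressV4": "203.0.113.9"}}]}}}},
    {"type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "severity": 5.0,
     "accountId": "444455556666", "region": "eu-west-1",
     "title": "API GetObject was invoked from a known malicious IP.",
     "updatedAt": "2024-05-01T16:45:00.000Z",
     "resource": {"resourceType": "AccessKey"},
     "service": {"action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {
         "remoteIpDetails": {"ipAddressV4": "203.0.113.9"}}}}},
    {"type": "Backdoor:EC2/DenialOfService.Tcp", "severity": 8.0,
     "accountId": "444455556666", "region": "eu-west-1",
     "title": "Instance i-0def is behaving like a DoS source.",
     "updatedAt": "2024-04-29T09:00:00.000Z",  # older than 24h at NOW
     "resource": {"resourceType": "Instance"},
     "service": {"action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {
         "remoteIpDetails": {"ipAddressV4": "192.0.2.44"}}}}},
]
NOW = datetime(2024, 5, 1, 18, 0, tzinfo=timezone.utc)  # assumed "current" time


def severity_label(severity):
    """GuardDuty's documented bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0+
    (the later 9.0-10.0 Critical band is folded into High here)."""
    if severity < 4.0:
        return "Low"
    if severity < 7.0:
        return "Medium"
    return "High"


def parse_type(finding_type):
    """Split ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.Variant!Artifact."""
    purpose, rest = finding_type.split(":", 1)
    resource_affected, name = rest.split("/", 1)
    return purpose, resource_affected, name


def remote_ips(finding):
    """Remote IPv4s named by a finding. Where they live depends on actionType;
    DNS_REQUEST findings carry a domain, not an IP, and a PORT_PROBE can
    carry several probes from different sources."""
    action = finding.get("service", {}).get("action", {})
    kind = action.get("actionType")
    if kind == "NETWORK_CONNECTION":
        return [action["networkConnectionAction"]["remoteIpDetails"]["ipAddressV4"]]
    if kind == "AWS_API_CALL":
        return [action["awsApiCallAction"]["remoteIpDetails"]["ipAddressV4"]]
    if kind == "PORT_PROBE":
        return [p["remoteIpDetails"]["ipAddressV4"]
                for p in action["portProbeAction"]["portProbeDetails"]]
    return []


def recent(findings, now=NOW, window=timedelta(hours=24)):
    """Findings updated within the dashboard's 24-hour window."""
    def seen(f):
        return datetime.fromisoformat(f["updatedAt"].replace("Z", "+00:00"))
    return [f for f in findings if now - seen(f) <= window]


def high_severity_rows(findings, now=NOW):
    """High Severity Threats Table: severity >= 7.0 within the window."""
    return [(f["updatedAt"], f["accountId"], f["region"],
             f["resource"]["resourceType"], f["title"])
            for f in recent(findings, now) if f["severity"] >= 7.0]


def threats_by_ip(findings, now=NOW):
    return Counter(ip for f in recent(findings, now) for ip in remote_ips(f))


def severity_by(findings, field, now=NOW):
    """Severity-band counts per accountId, region or resourceType."""
    def key(f):
        return f["resource"]["resourceType"] if field == "resourceType" else f[field]
    return Counter((key(f), severity_label(f["severity"])) for f in recent(findings, now))


if __name__ == "__main__":
    print(high_severity_rows(FINDINGS))
    print(threats_by_ip(FINDINGS))
    print(severity_by(FINDINGS, "accountId"))
```

One caveat when comparing such counts with the dashboards: GuardDuty aggregates recurrences of the same finding under one finding ID, bumping updatedAt and service.count, and re-exports the updated finding. Counting every exported event therefore over-counts a recurring threat; to count distinct threats, deduplicate on the finding id first.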

Amazon GuardDuty - CloudTrail Details

See the details of GuardDuty CloudTrail threats including the count, title, trend, and action type.

CloudTrail Threats. See the count of CloudTrail threats in the last 24 hours.

CloudTrail Threats by Title. See the count of CloudTrail threats by title in the last 24 hours on a pie chart.

CloudTrail Threats by Title Trend. See the trend of CloudTrail threats by title in the last 24 hours on a column chart.

CloudTrail Threats by Title. See the details of CloudTrail threats by title in the last 24 hours including the threat purpose, resource type, threat name, access key ID, username, and count, displayed in a table.

CloudTrail Threats by Title, ActionType. See the details of CloudTrail threats in the last 24 hours including the account ID, region, title, access key ID, principal ID, action type, severity, and count, displayed in a table.

Amazon GuardDuty - Details

Outliers - All Threats. See outlier spikes in the count of all threats in the last 24 hours on a line chart.

Threat Count by Account-Region Trend. See the trend of the count of threats by account-region in the last 24 hours on a column chart.

Threat Details Summary Table. See the details of threats in the last 24 hours including the title, account ID, resource type, organization, ISP, IP, link, and count, displayed in a table.

Threats by ThreatPurpose, Severity. See the count of threats in the last 24 hours by the severity and purpose on a bar chart.

Threats by ResourceType. See the count and percentage of threats in the last 24 hours by resource type on a pie chart.

Severity by LocalPort. See the count of severity by local port in the last 24 hours on a bar chart.

Threats by SecurityGroup. See the count and percentage of threats in the last 24 hours by security group on a pie chart.

Amazon GuardDuty - VPCs, Subnets, Security Group Details

See the details of GuardDuty threats by VPC, security group, and subnet ID.

Threat Type by VPC. See the count of threat type by VPC in the last 24 hours displayed on a bar chart.

Threats by SecurityGroup. See the count of threats by security group in the last 24 hours displayed on a pie chart.

Severity Count by SubnetID. See the count of severity in the last 24 hours by Subnet ID on a bar chart.

VPC, Subnet, and Security Group Threat Table. See the details of threats in the last 24 hours including the account ID, severity, region, VPC ID, Subnet ID, security group name and ID, threat purpose, resource type, threat name, and count, displayed in a table.
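The local-port panel on the Details dashboard and the VPC, subnet and security-group panels above all read nested, list-valued parts of an EC2 finding: an instance can have several network interfaces, each interface several security groups, and a port-probe finding several probed ports. The following added example (not Sumo Logic's or AWS's code) flattens constructed findings into one row per interface and security group, and shows that an IAM access-key finding, which has no instanceDetails, contributes no VPC rows and no local port. Finding contents, VPC/subnet/group identifiers and severities are assumptions; the field paths follow the GuardDuty finding format.

```python
"""Flatten GuardDuty EC2 findings into the VPC / subnet / security-group
rows and local-port counts the Details and VPC dashboards show.
Added example for this page, not Sumo Logic's or AWS's code. Findings are
constructed; paths (resource.instanceDetails.networkInterfaces[].vpcId,
subnetId, securityGroups[] and service.action.*.localPortDetails.port)
follow the GuardDuty finding format."""
from collections import Counter

# Constructed sample findings (not real events). The second one is an IAM
# finding with no instanceDetails and must yield no VPC rows or ports.
FINDINGS = [
    {"type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 5.0,
     "accountId": "111122223333", "region": "us-east-1",
     "resource": {"resourceType": "Instance", "instanceDetails": {"networkInterfaces": [
         {"vpcId": "vpc-0a1", "subnetId": "subnet-0a1",
          "securityGroups": [{"groupId": "sg-01", "groupName": "ssh-open"},
                             {"groupId": "sg-02", "groupName": "web"}]},
         {"vpcId": "vpc-0a1", "subnetId": "subnet-0b2",
          "securityGroups": [{"groupId": "sg-03", "groupName": "mgmt"}]}]}},
     "service": {"action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {
         "localPortDetails": {"port": 22}}}}},
    {"type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "severity": 5.0,
     "accountId": "111122223333", "region": "us-east-1",
     "resource": {"resourceType": "AccessKey"},
     "service": {"action": {"actionType": "AWS_API_CALL"}}},
    {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2.0,
     "accountId": "444455556666", "region": "eu-west-1",
     "resource": {"resourceType": "Instance", "instanceDetails": {"networkInterfaces": [
         {"vpcId": "vpc-0c3", "subnetId": "subnet-0c3",
          "securityGroups": [{"groupId": "sg-09", "groupName": "default"}]}]}},
     "service": {"action": {"actionType": "PORT_PROBE", "portProbeAction": {
         "portProbeDetails": [{"localPortDetails": {"port": 22}},
                              {"localPortDetails": {"port": 3389}}]}}}},
]


def vpc_rows(finding):
    """One row per (network interface, security group), in the column order
    of the VPC, Subnet, and Security Group Threat Table. Findings whose
    resource is not an EC2 instance have no interfaces and yield nothing."""
    purpose, rest = finding["type"].split(":", 1)
    _, threat_name = rest.split("/", 1)
    nics = finding["resource"].get("instanceDetails", {}).get("networkInterfaces", [])
    rows = []
    for nic in nics:
        for sg in nic.get("securityGroups", []):
            rows.append((finding["accountId"], finding["severity"], finding["region"],
                         nic.get("vpcId"), nic.get("subnetId"),
                         sg.get("groupName"), sg.get("groupId"),
                         purpose, finding["resource"]["resourceType"], threat_name))
    return rows


def local_ports(finding):
    """Local ports targeted: one for NETWORK_CONNECTION, one per probe for
    PORT_PROBE, none for API-call or DNS findings."""
    action = finding["service"]["action"]
    kind = action.get("actionType")
    if kind == "NETWORK_CONNECTION":
        return [action["networkConnectionAction"]["localPortDetails"]["port"]]
    if kind == "PORT_PROBE":
        return [p["localPortDetails"]["port"]
                for p in action["portProbeAction"]["portProbeDetails"]]
    return []


def severity_by_local_port(findings):
    """Severity by LocalPort panel, keyed on (numeric severity, port)."""
    return Counter((f["severity"], port) for f in findings for port in local_ports(f))


def threats_by_security_group(findings):
    """Threats by SecurityGroup: a finding that touches the same group on
    two interfaces is counted once for that group."""
    counts = Counter()
    for f in findings:
        for group_id in {row[6] for row in vpc_rows(f)}:
            counts[group_id] += 1
    return counts


def severity_count_by_subnet(findings):
    """Severity Count by SubnetID, keyed on (subnet, numeric severity)."""
    counts = Counter()
    for f in findings:
        for subnet in {row[4] for row in vpc_rows(f)}:
            counts[(subnet, f["severity"])] += 1
    return counts


if __name__ == "__main__":
    for f in FINDINGS:
        for row in vpc_rows(f):
            print(row)
    print(severity_by_local_port(FINDINGS))
    print(threats_by_security_group(FINDINGS))
```

The deduplication inside threats_by_security_group and severity_count_by_subnet matters: an instance with two interfaces in the same subnet, or the same group attached to both, would otherwise inflate the per-subnet and per-group counts relative to the number of findings.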